
    Model checking Branching-Time Properties of Multi-Pushdown Systems is Hard

    We address the model checking problem for shared memory concurrent programs modeled as multi-pushdown systems (MPDSs). We consider here boolean programs with a finite number of threads and recursive procedures. It is well known that the model checking problem is undecidable for this class of programs. In this paper, we investigate the decidability and the complexity of this problem under the assumption of bounded context-switching defined by Qadeer and Rehof, and of phase-boundedness proposed by La Torre et al. The model checking of such systems against temporal logics, and in particular branching time logics such as the modal μ-calculus or CTL, has received little attention. It is known that parity games, which are closely related to the modal μ-calculus, are decidable for the class of bounded-phase systems (and hence for bounded-context switching as well), but with non-elementary complexity (Seth). A natural question is whether this high complexity is inevitable and what the ways to get around it are. This paper addresses these questions and, unfortunately and somewhat surprisingly, shows that branching-time model checking for MPDSs is inherently a hard problem with no easy solution. We show that parity games on MPDSs under the phase-bounding restriction are non-elementary. Our main result shows that model checking a k-context-bounded MPDS against a simple fragment of CTL, consisting of formulas whose temporal operators come from the set {EF, EX}, has a non-elementary lower bound.

    CARET analysis of multithreaded programs

    Dynamic Pushdown Networks (DPNs) are a natural model for multithreaded programs with (recursive) procedure calls and thread creation. On the other hand, CARET is a temporal logic that allows one to write linear temporal formulas while taking into account the matching between calls and returns. We consider in this paper the model-checking problem of DPNs against CARET formulas. We show that this problem can be effectively solved by a reduction to the emptiness problem of Büchi Dynamic Pushdown Systems. We then show that CARET model checking is also decidable for DPNs communicating with locks. Our results can, in particular, be used for the detection of concurrent malware.
    Comment: Pre-proceedings paper presented at the 27th International Symposium on Logic-Based Program Synthesis and Transformation (LOPSTR 2017), Namur, Belgium, 10-12 October 2017 (arXiv:1708.07854)

    On Bounded Reachability Analysis of Shared Memory Systems

    This paper addresses the reachability problem for pushdown systems communicating via shared memory. It is already known that this problem is undecidable. It turns out that undecidability holds even if the shared memory consists of a single boolean variable. We propose a restriction on the behaviours of such systems, called stage bound, towards decidability. A k-stage-bounded run can be split into k stages, such that in each stage there is at most one process writing to the shared memory while any number of processes may read from it. We consider several versions of stage-bounded systems and establish decidability and complexity results.

    Verification of Asynchronous Programs with Nested Locks

    In this paper, we consider asynchronous programs consisting of multiple recursive threads running in parallel. Each of the threads is equipped with a multi-set. The threads can create tasks and post them onto the multi-sets or read a task from their own. In addition, they can synchronise through a finite set of locks. In this paper, we show that the reachability problem for such a class of asynchronous programs is undecidable even under the nested locking policy. We then show that the reachability problem becomes decidable (EXPSPACE-complete) when the locks are not allowed to be held across tasks. Finally, we show that the problem is NP-complete when, in addition to the previous restrictions, threads always read tasks from the same state.

    Verifying Quantitative Temporal Properties of Procedural Programs

    We address the problem of specifying and verifying quantitative properties of procedural programs. These properties typically involve constraints on the relative cumulated costs of executing various tasks (by invoking for instance some particular procedures) within the scope of the execution of some particular procedure. An example of such properties is "within the execution of each invocation of procedure P, the time spent in executing invocations of procedure Q is less than 20 % of the total execution time". We introduce specification formalisms, both automata-based and logic-based, for expressing such properties, and we study the links between these formalisms and their application in model-checking. On one side, we define Constrained Pushdown Systems (CPDS), an extension of pushdown systems with constraints, expressed in Presburger arithmetic, on the numbers of occurrences of each symbol in the alphabet within invocation intervals (subcomputations between matching pushes and pops); on the other side, we introduce a higher-level specification language that is a quantitative extension of CaRet (the Call-Return temporal logic) called QCaRet, where nested quantitative constraints over procedure invocation intervals are expressible using Presburger arithmetic. Then, we investigate (1) the decidability of the reachability and repeated reachability problems for CPDS, and (2) the effective reduction of the model-checking problem of procedural programs (modeled as visibly pushdown systems) against QCaRet formulas to these problems on CPDS.

    Reasoning about Threads with Bounded Lock Chains

    The problem of model checking threads interacting purely via the standard synchronization primitives is key for many concurrent program analyses, particularly dataflow analysis. Unfortunately, it is undecidable even for the most commonly used synchronization primitive, i.e., mutex locks. Lock usage in concurrent programs can be characterized in terms of lock chains, where a sequence of mutex locks is said to be chained if the scopes of adjacent (non-nested) mutexes overlap. Although the model checking problem for fragments of Linear Temporal Logic (LTL) is known to be decidable for threads interacting via nested locks, i.e., chains of length one, these techniques do not extend to programs with non-nested locks used in crucial applications like databases and device drivers. We exploit the fact that lock usage patterns in real-life programs do not produce unbounded lock chains. For such a framework, we show, by using the new concept of Lock Causality Automata (LCA), that pre∗-closures of regular sets of states can be computed efficiently. Leveraging this new technique then allows us to formulate decision procedures for model checking threads communicating via bounded lock chains for fragments of LTL. Our new results narrow the decidability gap for LTL model checking of threads communicating via locks by providing a more refined characterization for it in terms of boundedness of lock chains rather than the current state of the art, i.e., nestedness of locks (chains of length one).
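    The two lock-usage notions this abstract relies on, the nested locking policy (chains of length one) and the length of a lock chain, are mechanical to check on a single thread's lock/unlock trace. The following is an added example and not code from the paper: it takes a per-thread trace as a list of ("acq", lock) / ("rel", lock) events (a format assumed here), assumes locks are non-reentrant, pairs each acquire with its release to get the scope of each mutex, flags violations of LIFO release order, and computes the longest chain of scopes in which each scope starts inside the previous one and outlives it (the abstract's "adjacent, non-nested, overlapping" mutexes). Checking that every thread's longest chain stays below some k is exactly the boundedness condition the decision procedure assumes.

```python
"""Lock-chain analysis of one thread's lock/unlock trace (added example)."""
from typing import Dict, List, Tuple

Event = Tuple[str, str]        # ("acq", lock_name) or ("rel", lock_name)
Scope = Tuple[int, int, str]   # (acquire index, release index, lock_name)


def lock_scopes(trace: List[Event]) -> List[Scope]:
    """Pair every acquire with its matching release, sorted by acquire index.

    Locks are assumed non-reentrant, so re-acquiring a held lock is an error.
    A lock still held when the trace ends is assumed to be held until the end
    (the trace may be truncated), so its scope ends at len(trace).
    """
    open_at: Dict[str, int] = {}   # lock -> index of its pending acquire
    scopes: List[Scope] = []
    for i, (kind, lock) in enumerate(trace):
        if kind == "acq":
            if lock in open_at:
                raise ValueError(f"lock {lock!r} re-acquired at event {i}")
            open_at[lock] = i
        elif kind == "rel":
            if lock not in open_at:
                raise ValueError(f"lock {lock!r} released at event {i} but not held")
            scopes.append((open_at.pop(lock), i, lock))
        else:
            raise ValueError(f"unknown event kind {kind!r} at event {i}")
    for lock, start in open_at.items():
        scopes.append((start, len(trace), lock))
    scopes.sort()
    return scopes


def is_nested(trace: List[Event]) -> bool:
    """Nested locking policy: every release targets the most recently acquired lock."""
    held: List[str] = []
    for kind, lock in trace:
        if kind == "acq":
            held.append(lock)
        elif kind == "rel":
            if not held or held[-1] != lock:
                return False
            held.pop()
    return True


def chained(a: Scope, b: Scope) -> bool:
    """Scopes a and b overlap without nesting: b starts inside a and ends after a."""
    return a[0] < b[0] < a[1] < b[1]


def longest_lock_chain(trace: List[Event]) -> List[str]:
    """Longest sequence of locks in which each scope is chained to the previous one.

    Scopes are sorted by start, so chaining only goes from earlier to later
    scopes and a longest-path DP over that order suffices. A well-nested trace
    has no chained pair at all and therefore yields a chain of length one.
    """
    scopes = lock_scopes(trace)
    best: List[List[str]] = []   # best[j]: longest chain ending at scopes[j]
    for j, scope in enumerate(scopes):
        chain = [scope[2]]
        for i in range(j):
            if chained(scopes[i], scope) and len(best[i]) + 1 > len(chain):
                chain = best[i] + [scope[2]]
        best.append(chain)
    return max(best, key=len) if best else []


# Constructed trace: hand-over-hand (lock coupling) traversal of a linked list.
# Each node lock is taken before the previous one is released, so the scopes
# form a chain whose length grows with the number of nodes visited.
HAND_OVER_HAND: List[Event] = [
    ("acq", "node0"), ("acq", "node1"), ("rel", "node0"),
    ("acq", "node2"), ("rel", "node1"),
    ("acq", "node3"), ("rel", "node2"), ("rel", "node3"),
]

# Constructed trace that obeys the nested locking policy.
WELL_NESTED: List[Event] = [
    ("acq", "table"), ("acq", "row"), ("rel", "row"), ("rel", "table"),
]

if __name__ == "__main__":
    for name, trace in [("hand-over-hand", HAND_OVER_HAND), ("well-nested", WELL_NESTED)]:
        print(name, "nested:", is_nested(trace), "chain:", longest_lock_chain(trace))
```

    For a multithreaded program the analysis runs per thread; the chain bound k the abstract talks about is the maximum over all threads of the returned chain length.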

    Infinite-State Energy Games

    Energy games are a well-studied class of 2-player turn-based games on a finite graph where transitions are labeled with integer vectors which represent changes in a multidimensional resource (the energy). One player tries to keep the cumulative changes non-negative in every component while the other tries to frustrate this. We consider generalized energy games played on infinite game graphs induced by pushdown automata (modelling recursion) or their subclass of one-counter automata. Our main result is that energy games are decidable in the case where the game graph is induced by a one-counter automaton and the energy is one-dimensional. On the other hand, every further generalization is undecidable: energy games on one-counter automata with a 2-dimensional energy are undecidable, and energy games on pushdown automata are undecidable even if the energy is one-dimensional. Furthermore, we show that energy games and simulation games are inter-reducible, and thus we additionally obtain several new (un)decidability results for the problem of checking simulation preorder between pushdown automata and vector addition systems.
    Comment: 11 pages
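    The finite-graph, one-dimensional case that this abstract takes as its starting point is decidable by a simple fixpoint computation, and seeing it makes clear what the infinite-state results generalize. The code below is an added example, not code from the paper: it computes, for every vertex of a finite arena, the least initial energy from which the energy player can keep the cumulative sum non-negative forever, by iterating the usual controllable-predecessor operator from zero upward and cutting off at the known bound on minimal credit. The arena (a device whose environment demands jobs and whose controller may recharge) and the ownership map are constructed here for illustration.

```python
"""Minimal initial credit in a one-dimensional energy game (added example)."""
import math
from typing import Dict, List, Set, Tuple

Arena = Dict[str, List[Tuple[str, int]]]   # vertex -> [(successor, weight)]
Owner = Dict[str, int]                     # vertex -> 0 (energy player) or 1 (opponent)


def minimal_credit(arena: Arena, owner: Owner) -> Dict[str, float]:
    """Least initial energy from which player 0 keeps the energy >= 0 forever.

    Kleene iteration: start with f = 0 everywhere and raise f(v) to
        min over successors w of max(0, f(w) - weight(v, w))  if player 0 owns v,
        max over successors w of max(0, f(w) - weight(v, w))  if player 1 owns v,
    until nothing changes. Values only grow, so the loop terminates. A vertex
    player 0 wins needs at most (|V| - 1) * W credit, W being the largest
    absolute weight, so any value above |V| * W means player 0 loses from
    there and is reported as infinity.
    """
    if any(not edges for edges in arena.values()):
        raise ValueError("every vertex needs at least one outgoing edge")
    max_abs_weight = max(abs(w) for edges in arena.values() for _, w in edges)
    cap = len(arena) * max_abs_weight
    f: Dict[str, float] = {v: 0 for v in arena}
    changed = True
    while changed:
        changed = False
        for v, edges in arena.items():
            candidates = [max(0, f[w] - weight) for w, weight in edges]
            new = min(candidates) if owner[v] == 0 else max(candidates)
            if new > cap:
                new = math.inf
            if new > f[v]:
                f[v] = new
                changed = True
    return f


def winning_region(arena: Arena, owner: Owner) -> Set[str]:
    """Vertices from which some finite initial credit suffices for player 0."""
    return {v for v, credit in minimal_credit(arena, owner).items() if credit != math.inf}


# Constructed arena: a battery-powered device. At "idle" the environment
# (player 1) may demand a job, costing 3 units, or stay idle. At "work" the
# controller (player 0) may recharge (cost 1 to reach "charge", which then
# returns 4 units on the way back to "idle") or go straight back to idle.
DEVICE: Arena = {
    "idle":   [("work", -3), ("idle", 0)],
    "work":   [("charge", -1), ("idle", 0)],
    "charge": [("idle", +4)],
}
DEVICE_OWNER: Owner = {"idle": 1, "work": 0, "charge": 0}

# Same device with a weaker charger: the best controlled cycle now has net
# weight -2, so the environment can drain any finite initial credit.
WEAK_CHARGER: Arena = {**DEVICE, "charge": [("idle", +2)]}

if __name__ == "__main__":
    print("device:", minimal_credit(DEVICE, DEVICE_OWNER))
    print("weak charger wins from:", winning_region(WEAK_CHARGER, DEVICE_OWNER))
```

    The paper's one-counter result is the same question on an arena whose vertices carry an unbounded counter; the fixpoint above is what no longer terminates out of the box once the graph is infinite, which is why the decidability boundary the abstract draws is not obvious.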

    Sequentializing Parameterized Programs

    We exhibit assertion-preserving (reachability-preserving) transformations from parameterized concurrent shared-memory programs, under a k-round scheduling of processes, to sequential programs. The salient feature of the sequential program is that it tracks the local variables of only one thread at any point, and uses only O(k) copies of shared variables (it does not use extra counters, not even one counter to keep track of the number of threads). Sequentialization is achieved using the concept of a linear interface that captures the effect an unbounded block of processes has on the shared state in a k-round schedule. Our transformation utilizes linear interfaces to sequentialize the program, and to ensure the sequential program explores only reachable states and preserves local invariants.
    Comment: In Proceedings FIT 2012, arXiv:1207.348

    Impact of seminal trace element and glutathione levels on semen quality of Tunisian infertile men

    Background: Growing evidence indicates that oxidative stress can be a primary cause of male infertility. Non-enzymatic antioxidants play an important protective role against oxidative damage and lipid peroxidation. Human seminal plasma is a natural reservoir of antioxidants. The aim of this study was to determine glutathione (GSH) concentrations, trace element levels (zinc and selenium) and the lipid peroxidation end product, malondialdehyde (MDA), in the seminal plasma of men with different fertility potentials.
    Methods: Semen samples from 60 fertile men (normozoospermics) and 190 infertile patients (74 asthenozoospermics, 56 oligozoospermics, and 60 teratozoospermics) were analyzed for physical and biochemical parameters. Zinc (Zn) and selenium (Se) levels were estimated by atomic absorption spectrophotometry. Total GSH (GSHt), oxidized GSH (GSSG), reduced GSH (GSHr) and MDA concentrations were measured spectrophotometrically.
    Results: Zn and Se concentrations in the seminal plasma of normozoospermics were higher than in the three abnormal groups; nevertheless, only Zn showed significant differences. Zn showed positive and significant correlations with sperm motility (P = 0.03, r = 0.29) and count (P < 0.01, r = 0.49), whereas Se was significantly correlated only with sperm motility (P < 0.01, r = 0.36). GSHt, GSSG and GSHr were significantly higher in normozoospermics than in the abnormal groups. We noted a significant association between seminal GSHt and sperm motility (P = 0.03). GSSG was highly correlated with sperm motility (P < 0.001) and negatively associated with abnormal morphology (P < 0.001). GSHr was significantly associated with total sperm motility (P < 0.001) and sperm count (P = 0.01). MDA levels were significantly higher in the three abnormal groups than in normozoospermics. Seminal MDA was negatively associated with sperm motility (P < 0.01; r = -0.24) and sperm concentration (P = 0.003; r = -0.35), while there was a positive correlation between seminal lipid peroxidation and the percentage of abnormal morphology (P = 0.008).
    Conclusions: This report revealed that decreased seminal GSH and trace element deficiencies are implicated in low sperm quality and may be an important indirect biomarker of idiopathic male infertility. Our results support the view that evaluating seminal antioxidant status in infertile men is necessary and can be helpful in fertility assessment from early stages.